Instructure hackers claim they stole data from nearly 9,000 schools
At a glance:
- ShinyHunters stole data from 8,809 schools worldwide
- Up to 280 million records of teachers, students and staff were taken
- Hackers threatened to publish data on May 12 unless a settlement is reached
What happened
ShinyHunters, an extortion‑focused hacking group, announced that it had breached Instructure’s cloud platform and exfiltrated data from 8,809 educational institutions across the globe. The group says it lifted 280 million individual records, encompassing teachers, students and staff members. According to BleepingComputer, the volume of data taken per institution ranged from tens of thousands to several million records.
The breach first surfaced when students at multiple campuses reported being unable to log into Canvas, Instructure’s flagship learning‑management system. TechCrunch observed defaced login pages for three schools, each displaying a message that the stolen data would be published on May 12 unless Instructure “negotiates a settlement.” ShinyHunters later clarified that the defaced portals resulted from a second, separate breach targeting the same platform.
Scope of the breach
Instructure confirmed that the attackers accessed names, email addresses, student ID numbers and private messages exchanged within Canvas. The company stressed that it found no evidence that passwords, dates of birth, government IDs, or financial information were compromised. The breach affected a wide array of institutions, from large research universities to community colleges, though the exact list of schools has not been disclosed.
The following institutions were publicly mentioned as being impacted:
- Harvard University (students lost Canvas access on May 7 at 3:30 PM)
- University of California, Irvine (students received pop‑up notices on Thursday)
- An unnamed third school whose login portal was also defaced
Impact on institutions
Students at the affected schools encountered immediate disruptions: Canvas logins redirected to a hacker‑crafted notice, and pop‑up alerts warned of a pending data dump. The threat of public exposure has forced administrators to scramble for contingency plans, including resetting user credentials and communicating with parents and regulators. For many institutions, the breach raises compliance concerns under FERPA and state privacy statutes, potentially exposing them to legal and financial repercussions.
Instructure’s response
Instructure acknowledged the incident within days of the initial reports, stating that it had rolled out patches for the first intrusion and temporarily shut down Canvas for several hours on May 7. The company emphasized that it was working with law‑enforcement agencies and cybersecurity experts to investigate the breach and secure the platform. While it has not disclosed any settlement negotiations, Instructure has urged affected schools to contact its incident‑response team.
What’s next
The deadline set by ShinyHunters—May 12—creates a narrow window for institutions to negotiate or risk the public release of the stolen data. Cybersecurity analysts warn that even if passwords were not taken, the harvested personal identifiers could be leveraged for phishing, credential‑stuffing attacks, or sold on underground markets. Stakeholders are advised to monitor official Instructure communications, enforce multi‑factor authentication for Canvas users, and review incident‑response playbooks in preparation for any potential data publication.
Prepared by the editorial stack from public data and external sources.